Heads up to all WordPress.org or self-hosted WordPress blog owners and administrators. The dev team just released a maintenance and security update this morning that addresses another cross-site scripting vulnerability that affects WordPress 4.2.2 and earlier versions.
The particular XSS vulnerability that was fixed in this update allowed users who had Contributor or Author roles to compromise a site. This update also addresses an issue where a user with Subscriber permissions was able to create a draft using the Quick Draft module. Aside from those patches and fixes, WordPress 4.2.3 also contains 20 bug fixes that were present in version 4.2.
Kudos to the dev team for promptly addressing these issues and releasing a patched update. Same goes to all the persons who have discovered the security vulnerabilities and issues and practiced responsible disclosure.
WordPress users can update to the latest version automatically by heading to the admin interface and clicking on Dashboard > Updates and then clicking on Update Now. The manual update can be done by downloading WordPress 4.2.3 from the official site and uploading it via an FTP client. Sites that support and enabled the automatic background update don’t have to do anything as the software will be automatically updated once a new version is detected.
Again, before you upgrade your WordPress installation make sure that you create a backup of your database as well as deactivate all installed plugins to avoid any future problems or issues. I just upgrade to WordPress 4.2.3 a few minutes ago and thankfully the upgrade process went without a hitch.
Everyone is strongly encouraged to immediately upgrade to this maintenance and security update to avoid having your site vulnerable to these issues. Better safe than sorry folks! Have a nice day.